Operational risk

Operational risk framework Operational risk measurement

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external causes, whether deliberate, accidental or natural. It is inherent in all UBS's activities, not only in the business the firm conducts but due to the fact it is a business – because UBS is an employer, it owns and occupies property and holds assets, including information, belonging to both the firm and its clients. The approach to operational risk is not designed to eliminate risk per se but, rather, to contain it within acceptable levels, as determined by senior management, and to ensure that the firm has sufficient information to make informed decisions about additional controls, adjustments to controls, or other risk responses. The Group Chief Risk Officer (Group CRO) and the Group Head of Operational Risk (who reports to the Group CRO) are responsible for the independence, objectivity and effectiveness of the operational risk framework.

Operational risk framework

Every function, whether a front-end business or a control or logistics unit, must manage the operational risks that arise from its own activities. Because these risks are all pervasive, with a failure in one area potentially impacting many others, UBS's framework is based on mutual oversight across all functions. Each business group has therefore established cross-functional bodies as an integral part of its governance structure, to actively manage operational risk.

To ensure the integrity of risk management decisions, each business group also has an Operational Risk Control unit, the head of which reports functionally to the Group Head of Operational Risk. The primary remit of these units is to confirm the effective implementation of the operational risk framework in the business group, to ensure transparent assessment and reporting of risks to senior management, and to coordinate with their counterparts in other business groups and with the Group Head of Operational Risk on cross-business group matters.

The foundation of the operational risk framework is the definition by all functions of their roles and responsibilities so that, collectively, they can ensure that there is adequate segregation of duties, complete coverage of risks and clear accountability. From this analysis, they develop control objectives and standards to protect UBS's tangible and intangible assets and interests, based on the types of operational risk events that might arise, ranging from daily reconciliation problems to potentially severe events such as fraud. UBS recognizes that it cannot eliminate all risks, because errors and accidents will always happen, and that even where it is possible it is not always cost effective to do so. UBS's internal control framework differentiates potential events depending on their likely frequency and impact. Its mitigation and avoidance efforts are focused on areas where UBS believes it is most exposed to severe events – including both those that are reasonably foreseeable and those that, while not predictable, are thought to be reasonably possible. For lower impact risks UBS concentrates on management and monitoring.

The functions monitor compliance with their controls and assess their operating effectiveness in several ways, including self-certification by staff, and evaluation of responses by management. Additionally, they track a wide range of metrics to provide potential early warning of increased risk associated with non-attainment of control objectives. These include numbers and characteristics (severity, size, age, etc.) of, for example, client complaints and claims, deal cancellations and corrections, unreconciled items on cash and customer accounts, and systems failures. The implications of internal and external audit findings and other relevant sources of information are also assessed.

As major operational risk events occur, UBS assesses their causes and the implications for its control framework, whether or not they lead to direct financial loss. This includes events affecting third parties that are relevant to the firm's business if sufficient information is made public. It is important to use all available information to test the control framework because, even if an internal event does not lead to a direct or indirect financial loss, it may indicate that UBS's standards are not being complied with.

The totality of this information is reviewed by functional managers to assess their operational risk exposure and the actions needed to address specific issues. These issues are formally captured on a risk inventory, which forms the basis of reporting to senior management. Regular reports are made both within the business groups and to the Group CRO to allow senior management to assess the overall operational risk profile.

Top

Operational risk measurement

UBS has developed a model for quantification of operational risk, which meets the regulatory capital standard under the Basel II Advanced Measurement Approach (AMA). It has two main components. The historical component is based on UBS's own internal losses and is used primarily to determine the expected loss portion of the capital requirement. The firm has been collecting operational risk event data (both profits and losses) since 2002.

The scenario component of the AMA model is used primarily to determine the unexpected loss portion of the capital requirement. It is based on a set of generic scenarios that represent categories of operational risks to which UBS is exposed. The scenarios themselves are generated from an analysis of internal and external event information, the current business environment, and UBS's own internal control environment through comparison to the risk inventory. For each scenario, UBS estimates a base case mainly derived from its own experience, a stressed case mainly derived from integrating experiences of select peers and a worst case based on events experienced by an expanded set of peers in the financial industry. The scenarios are reviewed at least annually by experts in the relevant subject matter and their risk control counterparts to ensure their validity and may be updated based on material new information or events that occur.

Currently, UBS does not reflect mitigation through insurance in its AMA model.

UBS does not set limits on operational risk but reports the measured risk through the standard reporting processes, and includes it in the overall quantification of risk under the Earnings-at-risk and Capital-at-risk frameworks.

With the implementation of Basel II from 1 January 2008, UBS calculates its operational risk regulatory capital requirement using the AMA model for the consolidated group and the parent bank, in accordance with the requirements of the Swiss Federal Banking Commission, UBS's primary regulator. For regulated subsidiaries, the simpler basic indicator or standardized approaches are adopted, as agreed with local regulators.

The operational risk framework is primarily qualitative rather than quantitative – financial losses and capital considerations are only one, and not the most important, element. UBS uses the operational risk framework as the basis for specialist internal control assessments in areas such as legal, compliance, tax and human resources and to meet internal control-related regulatory requirements, such as Section 404 of the US Sarbanes-Oxley Act of 2002, as well as Basel II.

Top